Sanitize Your Input In PHP

Here's a quick and tiny PHP function that I've used on many projects to sanitize my input forms. As you are aware, HTML forms are one source of malicious input that can be used to manipulate databases or traverse server directories. To make your programs much more secure, you'll need to sanitize your inputs before doing anything with them, especially when dealing with databases. One function I've used repeatedly in my scripts is called sanitize(). Here's the code:

The Code

// Sanitize input: trim whitespace, strip HTML/PHP tags,
// encode HTML special characters, then backslash-escape quotes
function sanitize($in) {
    return addslashes(htmlspecialchars(strip_tags(trim($in))));
}

The addslashes function returns a string with backslashes added before single quotes ('), double quotes ("), backslashes (\) and NUL (the NULL byte). This is particularly helpful for escaping special characters when dealing with database queries. The htmlspecialchars function converts special characters to HTML entities. For example, & (ampersand) becomes &amp; and " (double quote) becomes &quot;. This function prevents user-supplied text from containing unintended HTML markup.

The strip_tags function strips HTML and PHP tags from a string. It keeps unwanted HTML markup from being displayed and prevents malicious PHP code from being executed. The trim function strips white space from the beginning and end of a string. For example, the string " apple " with surrounding white space becomes "apple" without white space when the trim function is applied.

Usage

You can use the sanitize function to clean up the $_GET, $_POST, $_REQUEST and $_COOKIE input variables. In this example, we will use the sanitize function to clean up the form input called $_POST['name'].

$name = sanitize($_POST['name']);

Database Use

Before you query, insert into or update the database, you can use mysql_real_escape_string to escape special characters in the values you place in your SQL statement, to prevent SQL injection.

$name = sanitize($_POST['name']);
// Escape the value for use inside a quoted SQL string literal
// (requires an open mysql_connect() link)
$name = mysql_real_escape_string($name);
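The following is an added example, not code from the original post. It reproduces sanitize() and walks a constructed input through each of the four calls, so you can see exactly what each step changes, and then passes the cleaned value to MySQL with a PDO prepared statement instead of mysql_real_escape_string, since the mysql_* extension was removed in PHP 7. Two caveats worth knowing before combining the two functions as above: on PHP versions where both exist, addslashes followed by mysql_real_escape_string escapes the same quote twice, so O'Reilly is stored as O\'Reilly; and because sanitize() already HTML-encodes the value, calling htmlspecialchars again when rendering it will double-encode & as &amp;amp; unless you pass double_encode=false. The DSN, table name and credentials are placeholders.

```php
<?php
// Added example (not from the original post): sanitize() step by step,
// then a PDO prepared statement for the database write.

function sanitize($in) {
    return addslashes(htmlspecialchars(strip_tags(trim($in))));
}

// Show the intermediate result of each call in sanitize().
function sanitizeSteps(string $raw): array {
    $steps = [];
    $steps['raw']             = $raw;
    $steps['trim']            = trim($raw);
    $steps['strip_tags']      = strip_tags($steps['trim']);
    $steps['htmlspecialchars'] = htmlspecialchars($steps['strip_tags']);
    $steps['addslashes']      = addslashes($steps['htmlspecialchars']);
    return $steps;
}

// Constructed sample input standing in for $_POST['name']: surrounding
// spaces, an HTML tag, an ampersand, a single quote and double quotes.
$raw = '  <b>O\'Reilly & "Sons"</b>  ';

foreach (sanitizeSteps($raw) as $step => $value) {
    printf("%-17s %s\n", $step . ':', $value);
}
// Expected progression:
//   trim             -> <b>O'Reilly & "Sons"</b>
//   strip_tags       -> O'Reilly & "Sons"
//   htmlspecialchars -> O'Reilly &amp; &quot;Sons&quot;        (PHP < 8.1, ENT_COMPAT default)
//                       O&#039;Reilly &amp; &quot;Sons&quot;   (PHP >= 8.1, ENT_QUOTES default)
//   addslashes       -> O\'Reilly &amp; &quot;Sons&quot;       (PHP < 8.1)
//                       O&#039;Reilly &amp; &quot;Sons&quot;   (PHP >= 8.1, nothing left to escape)

$name = sanitize($raw);

// Database write with a prepared statement: the value travels separately
// from the SQL text, so no quote or backslash in $name can alter the query
// and no escaping function is needed. Connection details are placeholders.
function storeName(PDO $pdo, string $name): int {
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return $stmt->rowCount();
}

try {
    $pdo = new PDO('mysql:host=localhost;dbname=app_db', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
    echo storeName($pdo, $name), " row inserted\n";
} catch (PDOException $e) {
    // No database in this demo: report and continue.
    echo "Database step skipped: ", $e->getMessage(), "\n";
}

// Rendering later: sanitize() already encoded the value, so avoid
// encoding it a second time.
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8', false), "\n";
```

Run it with php on the command line; the step table prints regardless of whether a database is reachable, and the prepared-statement branch reports the connection error instead of aborting when none is configured.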

There you have it. Two short and deliciously simple functions to sanitize your input and prevent malicious code from wrecking your programs. Let me know what you think.